The Windows Server Essentials and Small Business Server Blog
https://blogs.technet.microsoft.com/sbs
The official blog for Windows Server Essentials and Small Business Server support and product group communications.

Office 365 Integration fails with “Cannot connect to Microsoft online services” in Windows Server 2012 R2 Essentials
https://blogs.technet.microsoft.com/sbs/2018/03/14/office-365-integration-fails-with-cannot-connect-to-microsoft-online-services-in-windows-server-2012-r2-essentials/
Wed, 14 Mar 2018 12:39:24 +0000

We have found a new issue with the Windows Server Essentials Dashboard integration wizard for Microsoft Office 365. The Integrate with Microsoft Office 365 wizard may fail to complete with the following error:

In the C:\ProgramData\Microsoft\Windows Server\Logs\SharedServiceHost-EmailProviderServiceConfig.log, we may find the following exception:

BecWebServiceAdapter: Connect to BECWS failed due to known exception : System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://bws902-relay.microsoftonline.com/ProvisioningWebservice.svc?Redir=1098557810&Time=636356539931802459 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 157.56.55.77:443

We can see the provisioning endpoint that the wizard is trying to reach, by running the command: ipconfig /displaydns

However, when we attempt to browse that URL (provisioning web service) in a browser, it may fail with the following exception:

Additionally, when we attempt to do a telnet test to this remote server through the port 443, it fails:

The issue occurs due to a web exception when the BEC Web Service API tries to reach the remote endpoint for provisioning purposes. The address is written to the following registry key on the server:
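
The connectivity checks described above (log exception, DNS lookup, port 443 test) can be scripted; this is an added example, not code from the original post. The function names are hypothetical, and the sample log line is constructed from the exception quoted above for use when the real log is absent.

```powershell
# Added example: pull the provisioning endpoint out of the Essentials log
# exception, then repeat the DNS and port 443 checks without telnet.
$logPath = 'C:\ProgramData\Microsoft\Windows Server\Logs\SharedServiceHost-EmailProviderServiceConfig.log'

# Constructed sample, shortened from the exception quoted in the post;
# used only when the real log is not present on this machine.
$sampleLog = @(
    'BecWebServiceAdapter: Connect to BECWS failed due to known exception : ' +
    'System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at ' +
    'https://bws902-relay.microsoftonline.com/ProvisioningWebservice.svc?Redir=1098557810&Time=636356539931802459 ' +
    'that could accept the message.'
)

function Get-BecEndpoint {
    param([string[]]$LogLine)
    $seen = @{}
    foreach ($line in $LogLine) {
        # EndpointNotFoundException text: "no endpoint listening at <url>"
        if ($line -match 'no endpoint listening at (https?://\S+)') {
            $uri = [Uri]$Matches[1]
            $key = '{0}:{1}' -f $uri.Host, $uri.Port
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                New-Object PSObject -Property @{ HostName = $uri.Host; Port = $uri.Port }
            }
        }
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLog }
foreach ($ep in @(Get-BecEndpoint -LogLine $lines)) {
    $ips = @()
    try { $ips = [System.Net.Dns]::GetHostAddresses($ep.HostName) } catch { }
    $open = Test-TcpPort -HostName $ep.HostName -Port $ep.Port
    '{0}:{1} resolves to [{2}] reachable={3}' -f $ep.HostName, $ep.Port, ($ips -join ', '), $open
}
```

A result of `reachable=False` for an address that resolves corresponds to the "actively refused" SocketException in the log.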

Windows Server Essentials (or the Essentials Experience role found in Windows Server Standard or Datacenter) can be leveraged to quickly provision and enable a full Disaster Recovery site in the cloud using built-in Microsoft Azure integration features. The solution is composed of two Azure products:

Using Windows Server Essentials wizards and setting up the hardware in a working configuration can be challenging and there are a few steps and prerequisites to consider before deploying the server.

Two of our bright stars in the Windows Server Essentials community are Daniel Santos and Alex Fields. Alex is from Minneapolis and he wrote a new series of blogs (leveraging Daniel’s great analysis work) to help folks navigate through the configuration of the hardware and the Windows Server Essentials operating system to enable this disaster recovery solution.

Check out Alex’s blog series on itpromentor.com for a detailed rundown of the configuration steps:

Windows Home Server 2011 End of Mainstream Support
https://blogs.technet.microsoft.com/sbs/2017/07/03/windows-home-server-2011-end-of-mainstream-support/
Mon, 03 Jul 2017 20:11:43 +0000

Windows Home Server 2011 mainstream support ended in the second quarter of 2016. You can see all of the support lifecycle dates on the Microsoft Lifecycle page here.

What does this mean for you?

This means that Microsoft will no longer issue security updates for the Home Server-specific components that make up Windows Home Server 2011. If you are still running Windows Home Server 2008 or Windows Home Server 2011, Microsoft recommends bringing in a new device running Windows Server Standard or Windows Server Essentials and migrating your roles, features and data to the new appliance. Today’s new hardware is significantly faster and cheaper and can better handle the latest Windows security infrastructure, roles and features. Customers moving to a modern operating system will benefit from dramatically enhanced security, broad device support, higher user productivity, and a lower total cost of ownership through improved management capabilities.

Why migrate from Windows Home Server to Windows Server Essentials?
The latest versions of Windows Server Essentials support improvements in security, scalability, and manageability, and it contains device driver support for new hardware and silicon.
• Simplified setup. There is no easier way to set up a server than using the Windows Server Essentials Out-of-Box experience. Windows Server Essentials configures AD, certificate services, and DNS. It helps get a public domain name set up, and it generates and installs SSL certificates and everything you need to get started with your own hybrid cloud setup.
• Data redundancy and single pool of storage. Windows Server Essentials includes a feature called Storage Spaces that provides data redundancy and storage pooling functionality like that provided by Drive Extender in WHS. Windows Server Essentials has a much more reliable and resilient storage subsystem.
• Centralized PC backup and restore. Windows Server Essentials includes the next generation version of the centralized PC backup and restore functionality from Windows Home Server 2011 as well as centralized File History storage for all your PCs. Windows Server Essentials supports up to 75 PC backups vs. Windows Home Server’s 25 PC backup limitation. Windows Server Essentials 2016 also supports backing up volumes to Azure and backing up VMs to Azure Site Recovery (ASR).
• Centralized PC and server health monitoring. Windows Server Essentials includes health monitoring, both for the server itself as well as for all the connected PCs.
• Document and media sharing. Windows Server Essentials can share content using SMB, iSCSI or NFS. Windows Server Essentials 2016 no longer includes the media streaming codecs; however, we found that people were not actually using that feature and they prefer to decode in the respective media applications.
• Remote access. Windows Server Essentials has the remote access gateway feature that automatically generates SSL certificates for your server from GoDaddy. Essentials includes a web-based client for accessing home documents and media, and you can also remote desktop into the server if needed for administration purposes.

The Home Server line of products had a very enthusiastic fan following — it introduced the concept of a server in the house to the world and books appeared to make sense of it all.

Microsoft learned quite a bit helping and supporting hundreds of thousands of home users and small businesses to deploy Windows Server. If you are looking to upgrade your old Windows Home Server, now is a great opportunity to look at the new devices available and move to a modern platform.

An update for the remote web access feature went live in May and so the workaround suggested in this previous blog can be undone. Users will now be able to get to http://servername/remote or https://servername.remotewebaccess.com/remote without errors, regardless of how long the server has been online.

Thanks,
Scott Johnson

Information about SBS 2008 Product Support Lifecycle
https://blogs.technet.microsoft.com/sbs/2017/05/03/information-about-sbs-2008-product-support-lifecycle/
Wed, 03 May 2017 05:05:14 +0000

This blog post outlines the Product Support Lifecycle of Windows Small Business Server 2008 and its individual components. The support lifecycle for Windows Small Business Server 2008 is determined by its individual components’ support lifecycles.

We are publishing this information as a few SBS 2008 integrated components have reached their end of support. Here are the individual products included with Windows Small Business Server 2008 (Standard/Premium) and their support lifecycle timelines.

The Extended Support End Dates for the following products are as follows:

End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. This is the time to make sure you have the latest available update or service pack installed. Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information.

Microsoft is committed to providing support to customers facing issues when migrating to supported versions.

Remote Web Access, a feature inside Windows Server Essentials 2016 (also used in the Windows Server Essentials role that is available in Windows Server Standard 2016 and Windows Server Datacenter 2016) may cause users to experience trouble connecting remotely. The issue occurs after Office 365 with AAD Integration is completed and a certain amount of time passes without a reboot, typically 36-48 hours.

The server will be responsive, but the https://servername/remote web site will indicate that it is not accessible and will redirect users to their Administrator with the following message:

There is a temporary workaround discussed on the Windows Server forum here, and it is a safe workaround to use until the fix is available. The issue is caused by WCF connections not being cleaned up by the Essentials provider framework, and they are no longer removed by the CLR in Windows Server 2016. To verify this, you can check the number of WCF connections by running the following PowerShell command in an elevated console:

netstat -a | select-string ':65532' | measure-object -line

There should be 100-300 connections typically.
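
To see whether the count is growing because connections are stuck in a particular TCP state, the same netstat output can be broken down by state. This is an added example, not part of the original post; the function name is hypothetical, the sample rows are constructed, and treating anything above 300 as abnormal is an assumption based on the typical range given above.

```powershell
# Added example: break the port 65532 connections down by TCP state.
function Get-PortConnectionSummary {
    param([string[]]$NetstatLine, [int]$Port = 65532)
    $suffix = ':{0}$' -f $Port
    $states = @(foreach ($line in $NetstatLine) {
        # netstat columns: Proto, Local Address, Foreign Address, State
        $f = @(-split $line)
        # Like the one-liner in the post, count a row when either end uses the port.
        if ($f.Count -ge 4 -and $f[0] -eq 'TCP' -and
            ($f[1] -match $suffix -or $f[2] -match $suffix)) {
            $f[3]
        }
    })
    $byState = @($states | Group-Object | Sort-Object Count -Descending |
        Select-Object Name, Count)
    New-Object PSObject -Property @{
        Total        = $states.Count
        ByState      = $byState
        # Assumption: above the post's typical 100-300 range means the leak is present.
        AboveTypical = ($states.Count -gt 300)
    }
}

# Constructed sample rows in netstat's column layout. On the server use:
#   Get-PortConnectionSummary -NetstatLine (netstat -an)
$sample = @(
    '  TCP    [::1]:65532            [::1]:50112            ESTABLISHED',
    '  TCP    [::1]:50112            [::1]:65532            ESTABLISHED',
    '  TCP    [::1]:65532            [::1]:50113            CLOSE_WAIT',
    '  TCP    0.0.0.0:65532          0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING'
)
$result = Get-PortConnectionSummary -NetstatLine $sample
$result.ByState | Format-Table -AutoSize
'Total on port 65532: {0} (above typical 100-300: {1})' -f $result.Total, $result.AboveTypical
```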

The fix has been tested and checked in and it will be available in the May update package for Windows Server 2016. When the KB article is published and the fix is available, I will post about it here.

Thanks,
Scott Johnson
Windows Server Essentials

Windows Server 2016 Essentials is now GA
https://blogs.technet.microsoft.com/sbs/2016/10/25/windows-server-2016-essentials-is-now-ga/
Tue, 25 Oct 2016 00:45:12 +0000

Windows Server 2016 Essentials has reached the GA (General Availability) milestone as a part of the Windows Server 2016 launch. The product is now available in all channels.

Fix for Office 365 Integration issue with Windows Server 2012 R2 Essentials has been released
https://blogs.technet.microsoft.com/sbs/2016/10/25/fix-for-office-365-integration-issue-with-windows-server-2012-r2-essentials-has-been-released/
Tue, 25 Oct 2016 00:39:48 +0000

There was a known issue with Microsoft Office 365 Integration failing on Windows Server 2012 R2 Essentials due to exceeding the maximum message size quota for incoming messages while retrieving the subscription information. We are pleased to announce that the fix for this issue has been included with the latest monthly quality rollup for Windows Server 2012 R2:

Microsoft Office 365 may fail to integrate with Windows Server 2012 R2 Essentials with the following exception:

The file SharedServiceHost-EmailProviderServiceConfig.log located at the C:\ProgramData\Microsoft\Windows Server\Logs folder may show the following exception:

The issue occurs due to a scalability issue conflicting with default output buffer size used for subscriptions. This causes a failure during the retrieval of any O365 subscription and breaks the O365 integration feature.

Resolution: The fix for this issue has been included with the monthly quality rollup for Windows Server 2012 R2. Install the following rollup on the server:

On June 14, 2016, Microsoft released MS16-072 (KB3159398) to fix a vulnerability in Group Policy that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine on domain-joined Windows computers. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This by-design behavior change protects domain-joined computers from a security vulnerability. Any Group Policy that performs security filtering on a per-user basis will need to be adjusted to work after MS16-072.

For SBS 2008 and SBS 2011 in particular there are several group policies set up in the product for purposes of controlling the users’ desktop environment and Windows Software Update Services (WSUS) that are directly impacted by this change and will need adjustment in order to continue to work after the application of this patch.

There will be no automated patch to fix this issue on the SBS 2011 platform, thus we recommend that you take the following action to ensure that the default group policies on the SBS 2008 and SBS 2011 server are adjusted, as well as checking whether any group policies you have placed on the systems are impacted.

I would like to thank various blogs and resources that provided additional information that I am relying on in order to provide the information for the SBS community.

If you’d like to review these additional resources, I’d recommend reviewing Jeremy Moskowitz’s blog and Darren Mar-Elia’s blog. Additional resources include the AskDS blog and the JH consulting blog. I would recommend reviewing these additional resources if you manage different Server platforms, as the commands and PowerShell scripts are slightly different for different versions of Windows Server.

Prior to MS16-072, Group Policy could be set up with security filtering uniquely for computer users. On both SBS 2008 and SBS 2011, the SBSMonitoring service runs a routine every 20 minutes that synchronizes the SBS-created (“stamped”) users with the Security Filtering on the “Windows SBS User Policy” so that the SBS can deploy specific settings to the users’ desktop environment. If you merely add the Domain Computers READ right to the security filtering section in Group Policy (or make any other manual change to security filtering), 20 minutes later you will find this right removed. So we must add this Domain Computers READ right in a specific way.

I’d first recommend that you review your server(s) and workstations to confirm that the patch has been deployed. Secondly, you will need to review your group policies to assess whether they are impacted. An excellent PowerShell script you can use to check your systems is from the PoSHChap blog.

To begin, log into your SBS 2011 server. Find Windows PowerShell under Accessories/Windows PowerShell. Right mouse click and click on Run as Administrator.

Now copy and paste the following script to review what group policies are impacted:

#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host "INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an 'Authenticated Users' permission that isn't 'GpoApply' or 'GpoRead'" -ForegroundColor Yellow

Either paste the script into your PowerShell window on the server or save it as a .ps1 script and run it. You should see several red warnings that several of your group policies do not have the right permissions.

In reading various scripts online, it turns out there are different PowerShell commands for GP permissions in 2008/2008 R2 vs. later versions of Windows. So be aware that the solution provided in this blog post specifically works on 2008 and 2008 R2 and does not work on 2012 and 2012 R2. Specifically, the difference is simple: for 2008 and 2008 R2, replace the Get-GPPermission and Set-GPPermission commands with Get-GPPermissions and Set-GPPermissions in the script and it will work fine.

Secondly, given we still have a large number of SBS sites, I did some specific testing with it. The results of the script mean that the following policies are affected by this issue and MAY NOT APPLY if you don’t add the Authenticated Users OR Domain Computers as READ on the Delegation tab for that GPO.

Windows SBS User Policy

SharePoint PSConfig Notification Policy

Update Services Server Computers Policy

Update Services Client Computers Policy

Microsoft have indicated specific conditions for using either Authenticated Users OR Domain Computers with the READ permission. I’ve done quite a bit of investigation and in conversation with Group Policy MVPs, have decided that I will implement this consistently using the Domain Computers group as this works for all scenarios.

Now we need to adjust the permissions so that the group policies work after the installation of MS16-072, the patch of KB3159398.

For SBS 2011 in the PowerShell window cut and paste the following script:

The first line calls the Group policy module for PowerShell, the second line adds the Domain Computers READ right to the delegation tab so that the Security filtering set up by the server can continue to process.

The script should scroll through the settings and adjust the group policies.

The script has done what it needs to do. If you’d like to visually see the impact, if you go to any Group policy object you will now see Domain Computers on the delegation tab with READ rights.

On the Group policy object of Windows SBS User policy you should now see Domain Computers with a Read right to the Group policy object.

Now run the testing script again to confirm that your group policy permissions have been adjusted.

Once again copy and paste the following script in the PowerShell window or save it as a .ps1 script:

#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host "INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an 'Authenticated Users' permission that isn't 'GpoApply' or 'GpoRead'" -ForegroundColor Yellow

Your resulting testing screen should not show any red warnings and instead be filled with white and yellow comments:

Your SBS 2011 default group policies will now function as usual.
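
The check, fix and re-check sequence described above can be combined into one report-then-apply script. This is an added example, not the PoSHChap script or the script from the original post; the function names are hypothetical, and it assumes the English group names and the Windows Server 2008 R2 cmdlet names (Get-GPPermissions, Set-GPPermissions) that apply to SBS 2011.

```powershell
# Added example for SBS 2011 (Windows Server 2008 R2 cmdlet names).
# On Server 2012 and later the cmdlets are Get-GPPermission / Set-GPPermission.
Import-Module GroupPolicy

function Test-GpoComputerRead {
    # True when Authenticated Users or Domain Computers holds GpoRead/GpoApply.
    param($Gpo)
    foreach ($p in @(Get-GPPermissions -Guid $Gpo.Id -All)) {
        $name = $p.Trustee.Name   # assumption: English built-in group names
        if (($name -eq 'Authenticated Users' -or $name -eq 'Domain Computers') -and
            ($p.Permission -eq 'GpoRead' -or $p.Permission -eq 'GpoApply') -and
            -not $p.Denied) {
            return $true
        }
    }
    return $false
}

function Repair-GpoComputerRead {
    # Report-only by default; -Apply grants the READ right on the Delegation tab.
    param([switch]$Apply)
    foreach ($gpo in @(Get-GPO -All)) {
        if (Test-GpoComputerRead -Gpo $gpo) {
            $status = 'OK'
        } elseif ($Apply) {
            # GpoRead only: a delegation entry, not a Security Filtering (GpoApply)
            # change, which the post says the SBS sync reverts after 20 minutes.
            Set-GPPermissions -Guid $gpo.Id -TargetType Group `
                -TargetName 'Domain Computers' -PermissionLevel GpoRead | Out-Null
            $status = 'FIXED'
        } else {
            $status = 'NEEDS READ'
        }
        New-Object PSObject -Property @{ Gpo = $gpo.DisplayName; Status = $status }
    }
}

# First pass: report only.
Repair-GpoComputerRead | Sort-Object Status, Gpo | Format-Table Gpo, Status -AutoSize
# After reviewing the report, apply and then re-run the report:
# Repair-GpoComputerRead -Apply | Format-Table Gpo, Status -AutoSize
```

Run it from an elevated PowerShell window on the server; a second report-only pass after `-Apply` should list every GPO as OK.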

If you’d like to make all future group policies you set up work by default with the new behavior, you can follow the advice in the section entitled “Making the change permanent in Active Directory for future / newly born GPOs” in Jeremy Moskowitz’s blog.

For SBS 2008, you’ll need to manually add the READ permission right to the delegation tab as shown:

On the Group policy object of Windows SBS User policy you should now see